#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2022:0262.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
# Plugin registration branch: Nessus runs this when it loads the plugin and
# only reads the attributes set here; the package check itself is below.
if (description)
{
script_id(239196);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/05");
# CVE set taken from TSSA-2022:0262 (Node.js 18 / npm fixes: TLS SAN and RDN
# handling, llhttp request smuggling, WebCrypto keygen entropy, minimatch
# ReDoS, npm pack ignore-file handling, console.table prototype pollution).
script_cve_id(
"CVE-2021-44531",
"CVE-2021-44532",
"CVE-2021-44533",
"CVE-2022-21824",
"CVE-2022-29244",
"CVE-2022-32212",
"CVE-2022-32213",
"CVE-2022-32214",
"CVE-2022-32215",
"CVE-2022-3517",
"CVE-2022-35255",
"CVE-2022-35256",
"CVE-2022-43548"
);
script_name(english:"TencentOS Server 3: nodejs (TSSA-2022:0262)");
script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
# The description below is the advisory text reproduced verbatim (see the
# trailer at its end); its wording and typos are the advisory's and must not
# be edited here.
# NOTE(review): the CVE-2022-43548 and CVE-2022-32212 paragraphs read as if
# the listed releases (e.g. "18.12.1") are themselves vulnerable, while the
# package check below treats nodejs-18.12.1-2 as fixed. Upstream's wording is
# believed to be "versions <14.21.1, <16.18.1, ..." with the "<" lost in
# extraction, and "DBS requests" is presumably "DNS requests" -- confirm
# against the Node.js release notes before relying on the prose.
script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0262 advisory.
Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:
CVE-2022-43548:
A OS Command Injection vulnerability exists in Node.js versions 14.21.1, 16.18.1, 18.12.1, 19.0.1 due to
an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly
check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this
issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is
to complete the fix.
CVE-2022-3517:
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of
Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of
Service.
CVE-2022-35255:
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with
EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems
with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can
(and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically
strong and therefore not suitable as keying material.
CVE-2022-35256:
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are
not terminated with CLRF. This may result in HTTP Request Smuggling.
CVE-2022-32212:
A OS Command Injection vulnerability exists in Node.js versions 14.20.0, 16.16.0, 18.5.0 due to an
insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check
if an IP address is invalid before making DBS requests allowing rebinding attacks.
CVE-2022-32213:
The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly parse
and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
CVE-2022-32214:
The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not strictly use the
CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
CVE-2022-32215:
The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly handle
multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
CVE-2022-29244:
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace
or with a workspace flag (ie. `--workspaces`, `--workspace`). Anyone who has run `npm pack` or `npm
publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published
files into the npm registry they did not intend to include. Users should upgrade to the latest, patched
version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0
include the patched v8.11.0 version of npm.
CVE-2021-44531:
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a
particular SAN type, can result in bypassing name-constrained intermediates. Node.js 12.22.9, 14.18.3,
16.13.2, and 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally,
when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix
for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be
reverted through the --security-revert command-line option.
CVE-2021-44532:
Node.js 12.22.9, 14.18.3, 16.13.2, and 17.3.1 converts SANs (Subject Alternative Names) to a string
format. It uses this string to check peer certificates against hostnames when validating connections. The
string format was subject to an injection vulnerability when name constraints were used within a
certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this
escape SANs containing the problematic characters in order to prevent the injection. This behavior can be
reverted through the --security-revert command-line option.
CVE-2021-44533:
Node.js 12.22.9, 14.18.3, 16.13.2, and 17.3.1 did not handle multi-value Relative Distinguished
Names correctly. Attackers could craft certificate subjects containing a single-value Relative
Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in
order to inject a Common Name that would allow bypassing the certificate subject verification.Affected
versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not
vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation
of certificate subjects may be vulnerable.
CVE-2022-21824:
Due to the formatting logic of the console.table() function it was not safe to allow user controlled
input to be passed to the properties parameter while simultaneously passing a plain object with at least
one property as the first parameter, which could be __proto__. The prototype pollution has very limited
control, in that it only allows an empty string to be assigned to numerical keys of the object
prototype.Node.js be equal or greater than 12.22.9, be equal or greater than 14.18.3, be equal or greater
than 16.13.2, and be equal or greater than 17.3.1 use a null protoype for the object these properties are
being assigned to.
Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20220262.xml");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
# Scoring: the CVSS2 vector (6.4; I:P/A:P) is sourced from CVE-2022-21824, the
# CVSS3 vector (9.1; C:H/I:H) from CVE-2022-35255, per the *_score_source
# attributes below.
# NOTE(review): the finding is raised at SECURITY_WARNING (see the
# security_report_v4 call at the end of the file), which lines up with the
# CVSS2 base rather than the CVSS3 9.1 base -- confirm this is the intended
# severity policy for generated TencentOS plugins.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-21824");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-35255");
# Exploit flags are aggregate for the whole CVE set; nothing here records
# which CVE they refer to.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/23");
script_set_attribute(attribute:"patch_publication_date", value:"2022/12/23");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");
# Local (authenticated) check: detection is version-based only, as the
# description's trailer states; nothing is sent to the Node.js process.
script_set_attribute(attribute:"plugin_type", value:"local");
# Two CPEs: the operating system (o:) and the nodejs package (p-cpe:).
script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:nodejs");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tencent Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Requires the KB entries (local checks flag, os-release, TencentOS RPM
# inventory, CPU arch) that are presumably populated by ssh_get_info2.nasl.
script_dependencies("ssh_get_info2.nasl");
script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");
exit(0);
}
include('rpm2.inc');
# Preconditions: local checks must be enabled and the target must be a
# TencentOS 3.x host with an RPM inventory on a supported architecture.
# Each audit() call reports the reason and terminates the plugin.
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_prod = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_prod) || !('TencentOS' >< os_prod)) audit(AUDIT_OS_NOT, 'TencentOS');
var os_ver = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
# The major version must be exactly 3 ("3", "3.1", ...), never e.g. "30".
if (!preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_ver);
if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var arch = get_kb_item('Host/cpu');
if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
# Architectures the package references below can be matched against.
var arch_supported = ('x86_64' >< arch) || (arch =~ "^i[3-6]86$") || ('s390' >< arch) || ('aarch64' >< arch);
if (!arch_supported) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', arch);
# Fixed package set from TSSA-2022:0262. Every RPM is pinned to the same
# build (nodejs 18.12.1-2, npm 8.19.2-1.18.12.1.2, el8.6.0 module stream);
# rpm_spec_vers_cmp:TRUE asks rpm_check() to order versions the way RPM spec
# comparison does, presumably so the '+'-suffixed module release compares
# correctly.
# NOTE(review): 'cpu' is given for aarch64 and x86_64 only; nodejs-docs has
# no cpu key (presumably noarch) and so matches on any architecture that
# passed the check above, including i386/s390 where no other entry applies.
var constraints = [
{
'release': '3',
'pkgs': [
{'reference':'nodejs-18.12.1-2.module+el8.6.0+395+e5e272c2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-18.12.1-2.module+el8.6.0+395+e5e272c2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-debuginfo-18.12.1-2.module+el8.6.0+395+e5e272c2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-debuginfo-18.12.1-2.module+el8.6.0+395+e5e272c2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-debugsource-18.12.1-2.module+el8.6.0+395+e5e272c2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-debugsource-18.12.1-2.module+el8.6.0+395+e5e272c2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-devel-18.12.1-2.module+el8.6.0+395+e5e272c2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-devel-18.12.1-2.module+el8.6.0+395+e5e272c2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-docs-18.12.1-2.module+el8.6.0+395+e5e272c2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-full-i18n-18.12.1-2.module+el8.6.0+395+e5e272c2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-full-i18n-18.12.1-2.module+el8.6.0+395+e5e272c2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'npm-8.19.2-1.18.12.1.2.module+el8.6.0+395+e5e272c2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'npm-8.19.2-1.18.12.1.2.module+el8.6.0+395+e5e272c2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
]
}
];
var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');
# Number of package references found to be older than their fixed version.
var flag = 0;
# Optional per-package keys forwarded to rpm_check(). A key that is absent or
# empty is simply not copied, so the matching argument arrives as NULL and
# rpm_check() falls back to its own default.
var opt_keys = make_list('sp', 'cpu', 'el_string', 'rpm_spec_vers_cmp',
                         'epoch', 'allowmaj', 'exists_check', 'cves');
var ref;
var opt;
foreach var constraint ( constraints ) {
  # Only evaluate constraints whose release / service pack match the target.
  if (!empty_or_null(constraint['release']) && constraint['release'] != os_release) continue;
  if (!empty_or_null(constraint['sp']) && constraint['sp'] != os_sp) continue;
  foreach var pkg ( constraint['pkgs'] ) {
    ref = NULL;
    if (!empty_or_null(pkg['reference'])) ref = pkg['reference'];
    # Nothing to compare against without a usable reference.
    if (!ref) continue;
    opt = make_array();
    foreach var opt_key ( opt_keys ) {
      if (!empty_or_null(pkg[opt_key])) opt[opt_key] = pkg[opt_key];
    }
    # When an exists_check package is named, skip the comparison unless that
    # package is actually installed.
    if (opt['exists_check'] && !rpm_exists(rpm:opt['exists_check'])) continue;
    if (rpm_check(sp:opt['sp'], cpu:opt['cpu'], reference:ref, epoch:opt['epoch'],
                  el_string:opt['el_string'], rpm_spec_vers_cmp:opt['rpm_spec_vers_cmp'],
                  allowmaj:opt['allowmaj'], cves:opt['cves'])) flag++;
  }
}
# No vulnerable package found: distinguish "tested and already patched" from
# "none of the packages are installed". audit() terminates the plugin.
if (!flag)
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs / nodejs-debuginfo / nodejs-debugsource / etc');
}
# At least one package is below the fixed version: report it with the
# per-package comparison details collected by rpm_check().
security_report_v4(port:0, severity:SECURITY_WARNING, extra:rpm_report_get());
exit(0);